Android's Uncurated App Marketplace Draws Criticism, Google Activates 'Kill Switch' on Two Apps

[ArtOfWarfare]

wow?? doesnt anyone else get concered by this??

i think the more concerning thing is a killswitch... can they control your phones???

No, they can delete applications from your phone if it appears to be malicious. Given that Apple has two staff members check every app before it's released into the app store, it seems highly unlikely that any malicious app will ever appear on the store, and to date, the "kill switch" has never been used.

It seems like a fair assumption that if they ever did pull this "switch" that users who were affected would be refunded for the app, but a malicious app would probably be free anyways.

Beyond that, no, they can't really control your phone.

 

[ramuman]

This in place, just in case a malicious application is distributed. It's both a good thing and a scary thing. As of right now, even though Google has potential to be EVIL, I have more faith in them than Apple -- who's already demonstrated they'll abuse their position.

Right...Google just want to save your search history, packets on open WiFi networks, and your voicemail out of the goodness of their hearts. They also want to scan and post for free copyrighted books because they love spreading knowledge. Give me a break.

 

[MikhailT]

The executable comment is simply not true, read the security blog an sandboxing for android: http://developer.android.com/guide/topics/security/security.html

It's not the security that's the issue, it's the ease of hackers being able to let in spyware/malware into their "seeming legit" applications and put it on the market. There are no systems in place at the marketplace to make sure that the developers aren't intentionally misleading users.

Directly from your link,

A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing network access, keeping the device awake, etc.

An application's process runs in a security sandbox. The sandbox is designed to prevent applications from disrupting each other, except by explicitly declaring the permissions they need for additional capabilities not provided by the basic sandbox. The system handles requests for permissions in various ways, typically by automatically allowing or disallowing based on certificates or by prompting the user. The permissions required by an application are declared statically in that application, so they can be known up-front at install time and will not change after that.

Yep, another biased and uninformed post on Macrumors about anything not Apple. But hey, anything that rials the troops to keep traffic up on this site, so that more peeps will see adds is a good thing... Well, that goes for us that don't block your adds, or are using mobile device capable of browsing the web just like a desktop. <-- Waiting for an ignorant response to this comment.

All apps bought in Android Market Place, at least under Froyo 2.2, state exactly what privileges they're requesting PRIOR to installing. You can also view what privileges an app has under Application Managements. By installing an application, you're giving it permission. This is the SAME for OS X, or Windows, or an other full fledged Operating Systems.

And a few high quality apps. I second Eric S's comment. Who the freak is Jon Johansen? From where I stand, the guy is an ignoramus.

It goes both ways you turkeys. Both Market Places aren't exactly over flowing in high-quality apps. The DIFFERENCE is that everything I wanted to do under iOS, but was not allowed to do, or was not available, was either part of my Nexus One under Froyo, or was available in the Market place. I didn't need to jailbreak my phone to make it work as I wanted, let alone PAY Google to upgrade it to fix bugs, which was the case on my Touch,where as I paid Apple $10 to fix some of their bugs.

Did you even read the reports? They know about the privileges and the sandboxing and everything. The security is excellent on the Andriod.

That's just not the issue. The issues are that users can be mislead to allow the applications gain the privileges. If the GPS app is installed and ask for GPS privileges as well as internet so that it download maps, the user has reasonable expectations that it's only for GPS/maps. Since there's nobody to test this claim at the marketplace, another developer can create the same GPS application and use the GPS/Internet privileges to actually transmit other type of information. This has been done already as Google pulled those apps out AFTER they were made aware of it.


Think of it this way, you expect Walmart's pharmacy to actually make sure the pills they give you are actually the right pills. That's their responsibility to make sure and tested against the company. Google is more like Walmart just taking pills from any seemingly legit drug company and expect what THEY said is what the pill is. For all Google knows, the pills could just be sugar pills and they are marketing it as something else. Google controls the marketplace, we expect them to actually review the applications but they don't need to lock the store down like Apple.

 

[JackAxe]

+1

+2

+3

The torch has been passed.

-160,000,000,000,000 - 10 - 11 -50 - dog;

Besides these posts being purely childish, which I'm glad to take part of, what are you guys really contributing to this thread besides ignorance?

Plus one to the post that has my ignorant views, as I don't have relevent experience, only experience based on subjective comments and assumptions. AWESOME!

 

[rockosmodurnlif]

I'm rereading "Atlas Shrugged" and this whole app ecosystem is a prime example of how a lack of individual responsibility can lead to a socialist police state.

What are you on about man? "Socialist police state"? This is how words lose their value, when people just start throwing them around like so many crushed paper balls.

 

[Warbrain]

The issues are that users can be mislead to allow the applications gain the privileges.

Correction: The issue is that most users blindly click "accept" or "yes" to any prompt that comes up because they treat their smartphone like their computer.

The issue is people are dumb and don't read, not that they can be mislead.

 

[rockosmodurnlif]

-160,000,000,000,000 - 10 - 11 -50 - dog;

Besides these posts being purely childish, which I'm glad to take part of, what are you guys really contributing to this thread besides ignorance?

Plus one to the post that has my ignorant views, as I don't have relevent experience, only experience based on subjective comments and assumptions. AWESOME!

Where's the "Like" button for this comment?

 

[dogie678]

-160,000,000,000,000 - 10 - 11 -50 - dog;

Besides these posts being purely childish, which I'm glad to take part of, what are you guys really contributing to this thread besides ignorance?

Plus one to the post that has my ignorant views, as I don't have relevent experience, only experience based on subjective comments and assumptions. AWESOME!

just in case you missed this.

Security researcher creates botnet for Android, tricks 300 users to download the app

http://blogs.forbes.com/firewall/20...letes-and-downplays-botnet-demo-android-apps/

 

[Warbrain]

Where's the "Like" button for this comment?

Over in the corner next to the company we should all be concerned about - Facebook.

 

[savar]

The fact that a security researcher was able to trick 300+ Android users to download the app proves that Androids security isinadequate.

http://blogs.forbes.com/firewall/20...letes-and-downplays-botnet-demo-android-apps/

if Oberheide hadn't presented his research at the SummerCon hacker conference there's no reason to believe that Google would have been aware of the existence of this rogue app in the first place.

what's preventing a hacker from creating a real nasty spyware masquerading as the latest twilight or harry potter app?

I agree with you that it's a problem, but who's to say this isn't possible in the iOS app store?

The guy probably posted it on the Android store because presumably it's free to create and post apps there, whereas he would have paid $99 to do the same on the iOS store. Who wants to pay $99 just to make a point at your SummerCon lecture when it can be done for free?

EDIT: Somebody pointed out to me that it costs money to post an app on the Android store. Mea culpa.

The root cause here doesn't seem easily solvable -- how do you prevent applications from pretending to be one thing and then doing another?

 

[thetexan]

Few high quality apps. Seriously? This is from today only:

-I used Google maps to find a store I was looking for at home, I "starred" it and it was on my phone right away. I didn't even have to type a thing on my phone. I used my FREE navigation to get me right to the driveway.

-At Target I used the barcode app to see if the comforter set I wanted to buy my girlfriend was a good deal. It was.

-At the track I used CardioTrainer. This application uses GPS to track how fast I ran, how far I ran, and how many calories I burned.

-While CardioTrainer ran and tracked my progress, I listened to music stored on my SD card. Halfway through I switched over to Shoutcast.

-On my way home I decided to listen to Last.fm instead of stuff on my SD card. Since last.fm is able to scrobble in the background unhindered I get pretty good recommendations on new music.

-I used Ringdroid to take a snippet of a song I wanted to use as a ringtone. It's as easy as selecting the song and pointing out a "start" and "end" point, then saying set as ringtone.

- I used another application to download a new SMS notification sound. I'm bored with the one I've been using.

-I used a Jabber application to sit on Facebook chat for a bit while my home internet connection was down.

-I missed a call while I was in the shower, so I used Google Voice to read a transcript of the voicemail. I decided it wasn't worth a call back without having to even listen to the voicemail.

That's all I can think of for just today. I'm sure I'm missing something.

Edit: I forgot the best one:

-Backup to Gmail: This application runs several times per day in the background, and it uses IMAP to backup all of my SMS and MMS messages plus my call log to gmail. I literally have an archive of all of my SMS and MMS messages backed up that'll be there as long as Google keeps running gmail.

 

[dogie678]

Correction: The issue is that most users blindly click "accept" or "yes" to any prompt that comes up because they treat their smartphone like their computer.

The issue is people are dumb and don't read, not that they can be mislead.

Yes. on Android phones when you click "accept" there's a chance that you may be using spyware.

That's not going to happen on an iPhone.

 

[dogie678]

I agree with you that it's a problem, but who's to say this isn't possible in the iOS app store?

The guy probably posted it on the Android store because presumably it's free to create and post apps there, whereas he would have paid $99 to do the same on the iOS store. Who wants to pay $99 just to make a point at your SummerCon lecture when it can be done for free?

The root cause here doesn't seem easily solvable -- how do you prevent applications from pretending to be one thing and then doing another?

it's less likely to happen on iPhones. the App store is currated. Plus, Apple has your contact information. You create a malicious iPhone app, you go to jail.

 

[Warbrain]

Yes. on Android phones when you click "accept" there's a chance that you may be using spyware.

That's not going to happen on an iPhone.

There's a chance on ANY operating system that you could be allowing spyware to run. It can happen on any iOS device. Security holes exist in Safari that would allow for remote code execution...

 

[dogie678]

There's a chance on ANY operating system that you could be allowing spyware to run. It can happen on any iOS device. Security holes exist in Safari that would allow for remote code execution...

check my previous post.

"it's less likely to happen on iPhones. the App store is currated. Plus, Apple has your contact information. You create a malicious iPhone app, you go to jail."

 

[Nykwil]

This in place, just in case a malicious application is distributed. It's both a good thing and a scary thing. As of right now, even though Google has potential to be EVIL, I have more faith in them than Apple -- who's already demonstrated they'll abuse their position.

Let's not paint google as some white knight on a horse, google collects your user data, and lots of it. Your search results, what your searching for, your user habits. Imagine how often you use google's services on a daily basis. They have tons of sensitive information on your daily life. Neither company apple or google is innocent in terms of what they want to do with our private info. Bottom line: they wanna get rich off of it. However apple is straight up about it. You can opt out of iads content relevant to you, you can opt out of location services on the iPhone. My daily usage of google, reader, gmail etc I can't opt out of the info they collect on me in those apps, it's less so apparent, but don't be naive, google collects just as much, if not more info than apple does on usage patterns from everyone. And with google, u don't need a phone to have your information collected. I don't use safari on my Mac and worry about the browser taking my usage patterns and selling it, but I would so if I used chrome, because google makes the most of it's money selling and targeting ads. That is not the case with apple. An android device is a means for google to get it's ads to you in every way they can.

 

[ELScorcho9]

Few high quality apps. Seriously? This is from today ....

-I missed a call while I was in the shower, so I used Google Voice to read a transcript of the voicemail. I decided it wasn't worth a call back without having to even listen to the voicemail.

That's all I can think of for just today. I'm sure I'm missing something.

Why would you hear a transcript of the voicemail as opposed to just listening to the voicemail?

 

[Warbrain]

check my previous post.

"it's less likely to happen on iPhones. the App store is currated. Plus, Apple has your contact information. You create a malicious iPhone app, you go to jail."

But that doesn't prevent anything from being run through Safari. Yes, an app possibly couldn't but a website or a web app could.

 

[aaronsullivan]

I agree with you that it's a problem, but who's to say this isn't possible in the iOS app store?
...
The root cause here doesn't seem easily solvable -- how do you prevent applications from pretending to be one thing and then doing another?

It IS easily solvable and it's not possible in the iOS app store. Check every app (twice) before allowing it in the store. This is what Apple does. Yay!

Perhaps it will have to have tougher checking in the future as malicious devs get more clever, but it's quite possible to manage, apparently.

There are downsides but that is a massive upside.

(bah, cross-posting)

 

[MikieMcBikie]

anyone else feel the need to write antivirus software for the "non" apple phones yet? My god with all the "install anything that gets published" people i talk to, i almost want to steal their information lol...but i won't

go ahead, trust in google, OR apple. they got your back....Muh-hahahaha

 

[savar]

I would love to see a geographic distribution with full proxy jumper traces on where this malware is coming from.

"Proxy jumper trace" -- what are you talking about?

 

[Warbrain]

anyone else feel the need to write antivirus software for the "non" apple phones yet? My god with all the "install anything that gets published" people i talk to, i almost want to steal their information lol...but i won't

go ahead, trust in google, OR apple. they got your back....Muh-hahahaha

http://campaigns.f-secure.com/mobile-security/index.html

Specifically for Android: http://www.f-secure.com/en_EMEA/products/mobile/mobile-security/Mobile_security_android.html

 

[ramuman]

I agree with you that it's a problem, but who's to say this isn't possible in the iOS app store?

The guy probably posted it on the Android store because presumably it's free to create and post apps there, whereas he would have paid $99 to do the same on the iOS store. Who wants to pay $99 just to make a point at your SummerCon lecture when it can be done for free?

The root cause here doesn't seem easily solvable -- how do you prevent applications from pretending to be one thing and then doing another?

I'm sure that if he could have done it that easily on iOS, he would have. The publicity would be far greater if he had been able to do this to an Apple device rather than a Google device.

The root cause is that anyone can get the Android SDK and write a program and upload it to the marketplace as easily as they can upload a video to YouTube.

I wouldn't completely defend Apple everywhere, but I think they have the right intent here with this aspect of the App Store. Their high profile rejections likely mask the number of spurious apps they've rejected.

 

[dogie678]

Let's not paint google as some white knight on a horse, google collects your user data, and lots of it. Your search results, what your searching for, your user habits. Imagine how often you use google's services on a daily basis. They have tons of sensitive information on your daily life. Neither company apple or google is innocent in terms of what they want to do with our private info. Bottom line: they wanna get rich off of it. However apple is straight up about it. You can opt out of iads content relevant to you, you can opt out of location services on the iPhone. My daily usage of google, reader, gmail etc I can't opt out of the info they collect on me in those apps, it's less so apparent, but don't be naive, google collects just as much, if not more info than apple does on usage patterns from everyone. And with google, u don't need a phone to have your information collected. I don't use safari on my Mac and worry about the browser taking my usage patterns and selling it, but I would so if I used chrome, because google is makes the most of it's money selling and targeting ads. That is not the case with apple. An android device is a means for google to get it's ads to you in every way they can.

exactly. Google is EVIL.

http://news.cnet.com/8301-30686_3-20008286-266.html?tag=newsEditorsPicksArea.0

Google snagged passwords, e-mail. Lawsuits filed against Google in US

 

[thetexan]

Why would you hear a transcript of the voicemail as opposed to just listening to the voicemail?

Read a transcript. Google voice will transcribe the voicemail into text. It's not perfect but it's close enough for you to get the reason for the message.